This schedule to the UpGuard Hosted Services Agreement (“HSA”) between Company and Customer sets forth the terms and conditions under which Company will provide Risk Assessment Reports to Customer. Capitalized terms used in this Schedule that are not defined herein have the meaning as set forth in the UpGuard HSA.
- Definitions
- “Managed Vendors” means a vendor identified by the Customer upon which the Company will conduct a Security Risk Assessment.
- “Risk Assessment” or “Risk Assessment Report” means a standardized report regarding a Managed Vendor, and which contains: an executive summary of the Managed Vendor’s key risk areas and compliance status; an assessment of the Managed Vendor’s operational landscape, historical risk incidents; risk findings that are grouped by relevant domains; and risk mappings to a standardized set of domains and controls. The substance, form, and format of the Risk Assessment Report are determined by UpGuard.
- “Standard Questionnaire” means a standardized questionnaire which covers a range of security domains, and enables Company to effectively assess compliance across standard risk categories. The Standard Questionnaire is built in alignment with ISO27001 and NIST frameworks.
- “UpGuard Analyst” means an individual responsible for generating Risk Assessment Reports for the Customer.
- Obligations
- During the term specified in an applicable Order Form, Company shall provide to Customer up to the number of Risk Assessment Reports specified in such Order Form, in each case as requested by Customer and fulfilled by Company pursuant to the process set forth below. Any Risk Assessment Reports that are not completed pursuant to the terms of this Schedule upon the annual expiration of an Order Form shall be forfeited and non-refundable.
- Process
- A request for a Risk Assessment Report shall be initiated by Customer by completing an assessment request in the Managed Vendors section of the UpGuard Platform. In initiating such request, Customer shall provide any and all information detailed in the Managed Vendor Assessment section of the UpGuard Platform (“Customer Provided Information”).
- Company shall, within seventy-two (72) hours of receiving Customer’s request, notify the Managed Vendor regarding Customer’s request for a Risk Assessment Report and request the Managed Vendor provide any relevant documentation via the UpGuard Platform (such information “Managed Vendor Documentation”).
- Company shall use Customer Provided Information, Managed Vendor Documentation, and other relevant documentation to prepopulate UpGuard’s Standard Questionnaire.
- If Customer Provided Information, Managed Vendor Documentation, and other information available to Company are insufficient to complete the Standard Questionnaire, Company shall contact the Managed Vendor and request they complete the Standard Questionnaire on the UpGuard Platform.
- Upon receipt of the completed Standard Questionnaire, Company shall prepare and finalize the Risk Assessment Report. Customer will receive an in-app notification when the Risk Assessment Report is available for download via the UpGuard Platform.
- Company will accommodate changes to the delivered Risk Assessment due to any unforeseen errors in risks highlighted and spelling or grammatical errors for a period of ten (10) Business Days from the date the Risk Assessment is submitted to the Customer.
- Additional Requirements
- A single Risk Assessment Report is provided for each requested Managed Vendor. Any additional report for a Managed Vendor shall constitute an additional Risk Assessment specified in an Order Form.
- Company shall, at Customer’s request, provide up to one 30 minute kick-off training session with an UpGuard Analyst and one 60 minute scoping session with an UpGuard Analyst. For the avoidance of doubt, the UpGuard Analyst assigned to Customer is non-dedicated and may be subject to change based on availability.
- Company will use reasonable efforts to coordinate with each Managed Vendor to complete the Standard Questionnaire with respect to any identified gaps, missing security documents, questionnaire responses, and flagged risks requiring Managed Vendor input and validation. Customer and Company acknowledge and agree that completion of the Standard Questionnaire and the provision of Managed Vendor Documentation is a requirement to the provision of a Risk Assessment Report. In the event that a Standard Questionnaire is not completed and the Managed Vendor Documentation is not provided by a Managed Vendor, Company shall not be required to provide a Risk Assessment Report regarding the Managed Vendor, and such Risk Assessment Report may, subject to the requirements set forth herein, including the timing of requests and the total number purchased pursuant to an Order Form, be reallocated to a different Managed Vendor.
- Customer acknowledges and agrees that Company shall employ the Open AI API or other equivalent service, for utilizing the Customer Provided Information and Managed Vendor Documentation in the process of generating the Risk Assessment Reports. No alternative methods will be used or accepted by the Company. In the event that a Managed Vendor objects to the use of the Open AI API or equivalent service, the related Risk Assessment Report may, subject to the requirements set forth herein, including the timing of requests and the total number purchased pursuant to an Order Form, be reallocated to different Managed Vendors.
- Service Levels
- Any Customer requests for a Risk Assessment must be provided within a reasonable time, and no less than thirty (30) days prior to the end of the applicable Order Form. Any request for a Risk Assessment Report not provided within a reasonable time prior to the annual expiration of the relevant Order Form is forfeited and non-refundable. UpGuard in its sole discretion will determine what is considered a reasonable time for a Customer to request a Risk Assessment.
- Subject to the limitations set forth in this Schedule and expressly below, Company shall complete each Risk Assessment Report within ten (10) days of receipt of a request to initiate a Risk Assessment Report (the “Report Completion Time”). For the avoidance of doubt, Company’s provision of a Risk Assessment Report by the Report Completion Time is subject to:
- Customer initiating the request for a Risk Assessment Report at least thirty (30) days prior to the annual expiry of the relevant Order Form;
- Customer’s provision of all relevant Customer Provided Information; and
- The completion of the relevant Standard Questionnaire by the Managed Vendor along with the provision of all required supporting documentation, within a reasonable time.
- Unless expressly stipulated in an applicable Order Form, Customer may request no more than ten (10) Risk Assessments per month, and Company shall not be obligated to generate more than ten (10) Risk Assessments per month. In the event Customer requires additional Risk Assessments to be allocated for any given month, Customer must consult with Company prior to such request. Company reserves the right to assess its capacity and workload before approving any additional Risk Assessment requests beyond the agreed-upon allocation. Company shall not be held liable for any delays or deficiencies in service resulting from the Customer's failure to adhere to the provisions outlined in this section.
- Intellectual Property
- Each party retains all right, title, and interest to any and all intellectual property rights which are pre-existing at the Effective date of the Hosted Services Agreement (“Pre-Existing IP”). Customer Provided Information shall constitute Pre-Existing IP of Customer. Customer hereby grants to Company a non-revocable, non-exclusive, royalty-free license (including a right to sub-licence) to use any Customer Provided Information and any other Pre-Existing IP in conjunction with, or for the purposes of, providing and utilizing the Risk Assessments.
- The parties agree that, as between the parties, all rights and title to any generated Risk Assessment Report are owned by Company. Company hereby grants to Customer a non-revocable, non-exclusive, royalty-free license to use the Risk Assessment Reports for Customer’s internal business purposes.
- Warranties and Indemnities
- To the maximum extent permitted by law Company’s warranties are limited to those set out in the Hosted Services Agreement and this schedule, and all other conditions, guarantees or warranties whether expressed or implied by statute or otherwise are expressly excluded.
- EXCEPT FOR THE WARRANTIES EXPRESSLY CONTAINED IN THE HOSTED SERVICES AGREEMENT AND THIS SCHEDULE, COMPANY DISCLAIMS ANY WARRANTY THAT THE SERVICES DESCRIBED HEREIN WILL BE ERROR FREE OR UNINTERRUPTED OR THAT ALL ERRORS WILL BE CORRECTED. COMPANY FURTHER DISCLAIMS ANY AND ALL WARRANTIES WITH RESPECT TO SERVICES DESCRIBED HEREIN AS TO MERCHANTABILITY, ACCURACY OF ANY INFORMATION PROVIDED, FITNESS FOR A PARTICULAR PURPOSE, INCLUDING FULFILLING A STATUTORY ROLE, SPECIFIC REQUIREMENTS OR RESPONSIBILITY OF THE CUSTOMER, OR NON-INFRINGEMENT. COMPANY FURTHER DISCLAIMS ANY AND ALL WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED FROM COMPANY OR ELSEWHERE SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT.
- Customer warrants that the provision of any Customer Provided Information will not constitute an infringement of any Intellectual Property rights of a third party.
- Customer shall defend Company Indemnitees from and against any action or suit brought against a Company Indemnitee by a third party in connection with any Customer Provided Information or data input into the UpGuard Platform by Customer including, but not limited to, a claim that such Customer Provided Information or data infringes or misappropriates any Intellectual Property Rights of a third party, and will pay any costs, damages and reasonable attorneys’ fees attributable to such claim that are awarded in final judgment against or paid in settlement by Company. Customer’s obligations are contingent upon: (a) Company providing Customer with prompt written notice of such claim; (b) Company providing reasonable cooperation to Customer, at Customer’s expense, in the defense and settlement of such claim; and (c) Customer having sole authority to defend or settle such claim.
- Fees, Commercials And Payment Schedule
- All fees are specified in the applicable Order Form and are subject to the terms and conditions of the Order Form and Hosted Services Agreement. The Customer will be invoiced upfront for the amount specified.
- Customer may purchase additional Risk Assessment Reports from the Company, provided quantities are purchased in a minimum of 10 units.